我们可以在 Java trustStore 中的逻辑文件夹结构中组织每个具有多个子项的证书链吗
[英]Can we organize each certificate chain with multiple children in logical folders structure in the Java trustStore
问题描述
Suppose for SSL/TLS I have 2 rootCA's CA1 and CA2 (both self signed) and each CA has signed and issued 5 end entity certificates each.
假设对于 SSL/TLS,我有 2 个 rootCA 的 CA1 和 CA2(都是自签名的),并且每个 CA 都签署并颁发了 5 个最终实体证书。 I have a requirement to store each rootCA and its corresponding 5 children public certificates in Java trustStore in some logical folder structure such that given the parent CA public certificate or alias I would like to retrieve all the corresponding child certificates issued.我需要将每个 rootCA 及其对应的 5 个子公共证书存储在 Java trustStore 中的某个逻辑文件夹结构中,这样在给定父 CA 公共证书或别名的情况下,我想检索所有相应的子证书颁发。 For Example, given the CA1 alias, I want to retrieve CA1 and only the child certificates issued by CA1 and the same applies to CA2.例如,给定 CA1 别名,我想检索 CA1,并且只检索 CA1 颁发的子证书,这同样适用于 CA2。
I have checked the Java's java.security.KeyStore which provides API to store certificate chain, but it takes in only the chain of trust where one parent and only one child can be added to truststore.我检查了 Java 的java.security.KeyStore ,它提供了 API 来存储证书链,但它只接受信任链,其中一个父级和一个子级可以添加到信任库。 We cannot add multiple child certificates at same level to that parent.我们不能将同一级别的多个子证书添加到该父级。 keytool utility also doesn't provide solution to my requirement. keytool 实用程序也没有为我的要求提供解决方案。
Is there any way we can store the parent to multi children certificates in logical folder structure in trust stores where I can retrieve all children relevant to particular parent alias?有什么方法可以将父级证书存储在信任存储的逻辑文件夹结构中的多个子级证书中,我可以在其中检索与特定父级别名相关的所有子级?
1 个解决方案
解决方案1
0 2020-04-22 19:47:27
You cannot store the certificates in a logical order in a java keystore.您不能将证书按逻辑顺序存储在 java 密钥库中。 A java keystore is basically a key-value (alias and entry) storage. java 密钥库基本上是一个键值(别名和条目)存储。 The entry can be a certificate or a secret key or a key pair (private key and corresponding certificate chain, which includes public key).该条目可以是证书或密钥或密钥对(私钥和相应的证书链,其中包括公钥)。
You have to write your own custom logic to achieve your requirements.您必须编写自己的自定义逻辑来满足您的要求。 You can identify if a certificate is signed by a given CA or not by looking at the issuerDN and subjectDN attributes of the certificate.您可以通过查看证书的issuerDN和subjectDN属性来确定证书是否由给定 CA 签名。 If a certificate is self-signed (like the CA certificate), the issuerDN and subjectDN will be the same.如果证书是自签名的(如 CA 证书),则issuerDN和subjectDN将相同。 If a certificate was signed by a CA, then the subjectDN of the CA is put in the issuerDN of the signed certificate.如果证书是由 CA 签署的,那么 CA 的 subjectDN 将放在已签署证书的 issuerDN 中。 This way you can identify the hierarchy of the certificate chain.这样您就可以识别证书链的层次结构。 However, if you are using this approach, you have to loop through all the certificates multiple times in your truststore.但是,如果您使用这种方法,则必须在您的信任库中多次循环访问所有证书。
I'm not sure what your use-case is, but if you need to use the truststore for SSL connection to a server, then it is best if you stored all the certificates in the same truststore and not worry about the logical order, and just feed the truststore into the JVM, and it will do the magic of identifying the right certificate to use.我不确定您的用例是什么,但是如果您需要使用 SSL 连接到服务器的信任库,那么最好将所有证书存储在同一个信任库中并且不用担心逻辑顺序,并且只需将信任库输入 JVM,它就会神奇地识别要使用的正确证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.